Abstract. In this paper we study the fault codiagnosis problem for discrete event systems given by finite automata (FA) and timed systems given by timed automata (TA). We provide a uniform characterization of codiagnosability for FA and TA which extends the necessary and sufficient condition that characterizes diagnosability. We also settle the complexity of the codiagnosability problems both for FA and TA and show that codiagnosability is PSPACE-complete in both cases. For FA this improves on the previously known bound (EXPTIME) and for TA it is a new result. Finally we address the codiagnosis problem for TA under bounded resources and show it is 2EXPTIME-complete.

1 Introduction 

Discrete-event systems [16,17] (DES) can be modelled by finite automata (FA) over an alphabet of observable events $\Sigma$.

The fault diagnosis problem is a typical example of a problem under partial observation. The aim of fault diagnosis is to detect faulty sequences of the DES. The assumptions are that the behavior of the DES is known and a model of it is available as a finite automaton over an alphabet $\Sigma \cup \{\tau, f\}$, where $\Sigma$ is the set of observable events, $\tau$ represents the unobservable events, and $f$ is a special unobservable event that corresponds to the faults: this is the original framework introduced by M. Sampath et al. [18] and the reader is referred to this paper for a clear and exhaustive introduction to the subject. A faulty sequence is a sequence of the DES containing an occurrence of event $f$. An observer which has to detect faults knows the specification/model of the DES and is able to observe sequences of observable events. Based on this knowledge, it has to announce whether an observation it makes (in $\Sigma^*$) was produced by a faulty sequence (in $(\Sigma \cup \{\tau, f\})^*$) of the DES or not. A diagnoser (for a DES) is an observer which observes the sequences of observable events and is able to detect whether a fault event has occurred, although it is not observable. If a diagnoser can detect a fault at most $\Delta$ steps after it has occurred, the DES is said to be $\Delta$-diagnosable. It is diagnosable if it is $\Delta$-diagnosable for some $\Delta \in \mathbb{N}$. Checking whether a DES is $\Delta$-diagnosable for a given $\Delta$ is called the bounded diagnosability problem; checking whether a DES is diagnosable is the diagnosability problem.

Checking diagnosability for a given DES and a fixed set of observable events can be done in polynomial time using the algorithms of [13,21]. If a diagnoser exists there is a finite state one. Nevertheless the size of the diagnoser can be exponential as it involves a determinization step. The extension of this DES framework to timed automata (TA) has been proposed by S. Tripakis in [19], and he proved that the problem of checking diagnosability of a timed automaton is PSPACE-complete. In the timed case, the diagnoser may be a Turing machine. The problem of checking whether a timed automaton is diagnosable by a diagnoser which is a deterministic timed automaton was studied by P. Bouyer et al. [5].

Codiagnosability generalizes diagnosability by considering decentralized architectures. Such decentralized architectures have been introduced in [10] and later refined in [20,15]. In these architectures, local diagnosers (with their own partial view of the system) can send to a coordinator some information, summarizing their observations. The coordinator then computes a result from the partial results of the local diagnosers. The goal is to obtain a coordinator that can detect the faults in the system. When local diagnosers do not communicate with each other nor with a coordinator (protocol 3 in [10]), the decentralized diagnosis problem is called codiagnosis [15,20]. In this case, codiagnosis means that each fault can be detected by at least one local diagnoser. In the paper [15], codiagnosability is considered and an algorithm to check codiagnosability is presented for discrete event systems (FA). An upper bound for the complexity of the algorithm is EXPTIME. In [20], the authors consider a hierarchical framework for decentralized diagnosis. In [3] a notion of robust codiagnosability is introduced, which can be thought of as a fault tolerant (local diagnosers can fail) version of codiagnosability.

None of the previous papers has addressed the codiagnosability problems for 
timed automata. Moreover, the exact complexity of the codiagnosis problems is 
left unsettled for discrete event systems (FA). 

Our Contribution. In this paper, we study the codiagnosability problems for FA and TA. We settle the complexity of the problems for FA (PSPACE-complete), improving on the best known upper bound (EXPTIME). We also address the codiagnosability problems for TA and provide new results: algorithms to check codiagnosability and also codiagnosability under bounded resources. Our contribution is both of theoretical and practical interest. The algorithms we provide are optimal, and can also be implemented using standard model-checking tools like SPIN [12] for FA, or UPPAAL [1] for TA. This means that very expressive languages can be used to specify the systems to codiagnose and very efficient implementations and data structures are readily available.

Organisation of the Paper. Section 2 recalls the definitions of finite automata and timed automata. We also give some results on the Intersection Emptiness Problems (Section 2.6) that will be used in the next sections. Section 3 introduces the fault codiagnosis problems we are interested in, and a necessary and sufficient condition that characterizes codiagnosability for FA and TA. Section 4 contains the first main results: optimal algorithms for the codiagnosability problems for FA and TA. Section 5 describes how to synthesize the codiagnosers and the limitations of this technique for TA. Section 6 is devoted to the codiagnosability problem under bounded resources for TA and contains the second main result of the paper.

2 Preliminaries 

$\Sigma$ denotes a finite alphabet and $\Sigma_\tau = \Sigma \cup \{\tau\}$ where $\tau \notin \Sigma$ is the unobservable action. $\mathbb{B} = \{\text{true}, \text{false}\}$ is the set of boolean values, $\mathbb{N}$ the set of natural numbers, $\mathbb{Z}$ the set of integers and $\mathbb{Q}$ the set of rational numbers. $\mathbb{R}$ is the set of real numbers and $\mathbb{R}_{\ge 0}$ (resp. $\mathbb{R}_{> 0}$) is the set of non-negative (resp. positive) real numbers. We denote tuples (or vectors) by $\bar d = (d_1, \cdots, d_k)$ and write $\bar d[i]$ for $d_i$.

2.1 Clock Constraints 

Let $X$ be a finite set of variables called clocks. A clock valuation is a mapping $v : X \to \mathbb{R}_{\ge 0}$. We let $\mathbb{R}_{\ge 0}^X$ be the set of clock valuations over $X$. We let $\mathbf{0}_X$ be the zero valuation where all the clocks in $X$ are set to $0$ (we use $\mathbf{0}$ when $X$ is clear from the context). Given $\delta \in \mathbb{R}$, $v + \delta$ is the valuation defined by $(v + \delta)(x) = v(x) + \delta$. We let $\mathcal{C}(X)$ be the set of convex constraints on $X$, i.e., the set of conjunctions of constraints of the form $x \bowtie c$ with $c \in \mathbb{Z}$ and $\bowtie \in \{<, \le, =, \ge, >\}$. Given a constraint $g \in \mathcal{C}(X)$ and a valuation $v$, we write $v \models g$ if $g$ is satisfied by the valuation $v$. We also write $[\![g]\!]$ for the set $\{v \mid v \models g\}$. Given a set $R \subseteq X$ and a valuation $v$ of the clocks in $X$, $v[R]$ is the valuation defined by $v[R](x) = v(x)$ if $x \notin R$ and $v[R](x) = 0$ otherwise.

2.2 Timed Words 

The set of finite (resp. infinite) words over $\Sigma$ is $\Sigma^*$ (resp. $\Sigma^\omega$) and we let $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. A language $L$ is any subset of $\Sigma^\infty$. A finite (resp. infinite) timed word over $\Sigma$ is a word in $(\mathbb{R}_{\ge 0}.\Sigma)^*.\mathbb{R}_{\ge 0}$ (resp. $(\mathbb{R}_{\ge 0}.\Sigma)^\omega$). $Duration(w)$ is the duration of a timed word $w$ which is defined to be the sum of the durations (in $\mathbb{R}_{\ge 0}$) which appear in $w$; if this sum is infinite, the duration is $\infty$. Note that the duration of an infinite word can be finite, and such words, which contain an infinite number of letters, are called Zeno words. We let $Unt(w)$ be the untimed version of $w$ obtained by erasing all the durations in $w$. An example of untiming is $Unt(0.4\,a\,1.0\,b\,2.7\,c) = abc$. In this paper we write timed words as $0.4\,a\,1.0\,b\,2.7\,c \cdots$ where the real values are the durations elapsed between two letters: thus $c$ occurs at global time $4.1$. $TW^*(\Sigma)$ is the set of finite timed words over $\Sigma$, $TW^\omega(\Sigma)$ the set of infinite timed words and $TW(\Sigma) = TW^*(\Sigma) \cup TW^\omega(\Sigma)$. A timed language is any subset of $TW(\Sigma)$.

Let $\pi_{\Sigma'}$ be the projection of timed words of $TW(\Sigma)$ over timed words of $TW(\Sigma')$. When projecting a timed word $w$ on a sub-alphabet $\Sigma' \subseteq \Sigma$, the durations elapsed between two events are set accordingly: for instance for the timed word $0.4\,a\,1.0\,b\,2.7\,c$, we have $\pi_{\{a,c\}}(0.4\,a\,1.0\,b\,2.7\,c) = 0.4\,a\,3.7\,c$ (note that projection erases some letters but keeps the time elapsed between two letters). Given a timed language $L$, we let $Unt(L) = \{Unt(w) \mid w \in L\}$. Given $\Sigma' \subseteq \Sigma$, $\pi_{\Sigma'}(L) = \{\pi_{\Sigma'}(w) \mid w \in L\}$.
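The following Python snippet, added here as an illustration and not part of the paper, implements the operations just defined on finite timed words in the paper's alternating delay/letter notation: $Unt$, $Duration$, the global timestamp of each letter, and the projection $\pi_{\Sigma'}$. Delays are converted to exact fractions so that summing the durations of erased letters introduces no rounding error; the sample words are constructed for this example. The point the code makes explicit is that projection erases letters but never erases time: the delay before an erased letter is carried over to the next letter that survives.

```python
from fractions import Fraction  # exact delays: summing erased durations must not drift

# A finite timed word is stored as the paper writes it, delays and letters alternating,
# e.g. [0.4, "a", 1.0, "b", 2.7, "c"], optionally ending with a trailing delay.


def untime(word):
    """Unt(w): erase every delay, keep the letters in order."""
    return "".join(tok for tok in word if isinstance(tok, str))


def duration(word):
    """Duration(w): the sum of all delays appearing in w."""
    return sum((Fraction(str(tok)) for tok in word if not isinstance(tok, str)), Fraction(0))


def timestamps(word):
    """Global occurrence time of each letter (c occurs at 0.4 + 1.0 + 2.7 = 4.1 in the paper's example)."""
    clock, out = Fraction(0), []
    for tok in word:
        if isinstance(tok, str):
            out.append((clock, tok))
        else:
            clock += Fraction(str(tok))
    return out


def project(word, sub_alphabet):
    """pi_{Sigma'}(w): erase letters outside Sigma', but keep the time elapsed between the
    surviving letters: the delay preceding an erased letter is carried to the next kept one."""
    out, carry = [], Fraction(0)
    for tok in word:
        if isinstance(tok, str):
            if tok in sub_alphabet:
                out += [carry, tok]
                carry = Fraction(0)
            # an erased letter leaves its accumulated delay in `carry`
        else:
            carry += Fraction(str(tok))
    trailing = bool(word) and not isinstance(word[-1], str)
    if carry or trailing:  # time elapsed after the last kept letter is still part of the word
        out.append(carry)
    return out


def same_observation(w1, w2, sub_alphabet):
    """Two timed words are indistinguishable for an observer of Sigma' iff their projections coincide."""
    return project(w1, sub_alphabet) == project(w2, sub_alphabet)


if __name__ == "__main__":
    w = [0.4, "a", 1.0, "b", 2.7, "c"]          # the paper's example word (constructed input)
    print(untime(w), duration(w), timestamps(w))
    print(project(w, {"a", "c"}))                # [2/5, 'a', 37/10, 'c'], i.e. 0.4 a 3.7 c
    # Remark 1's two words stay distinguishable for an observer of {a} because time survives
    print(same_observation([1, "f", 1, "a"], [1, "tau", 1, "tau", 1, "a"], {"a"}))
```

`project` on the paper's example with $\Sigma' = \{a, c\}$ returns $0.4\,a\,3.7\,c$, and `same_observation` shows that the two timed words of Remark 1 ($1.f.1.a$ and $1.\tau.1.\tau.1.a$) remain distinguishable for an observer of $\{a\}$ precisely because the durations survive projection.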

2.3 Timed Automata 

Timed automata are finite automata extended with real-valued clocks to specify 
timing constraints between occurrences of events. For a detailed presentation of 
the fundamental results for timed automata, the reader is referred to the seminal 
paper of R. Alur and D. Dill [2]. 

Definition 1 (Timed Automaton). A Timed Automaton $A$ is a tuple $(L, l_0, X, \Sigma_\tau, E, Inv, F, R)$ where:

– $L$ is a finite set of locations;

– $l_0$ is the initial location;

– $X$ is a finite set of clocks;

– $\Sigma$ is a finite set of actions;

– $E \subseteq L \times \mathcal{C}(X) \times \Sigma_\tau \times 2^X \times L$ is a finite set of transitions; in a transition $(\ell, g, a, r, \ell')$, $g$ is the guard, $a$ the action, and $r$ the reset set; as usual we often write a transition $\ell \xrightarrow{g, a, r} \ell'$;

– $Inv \in \mathcal{C}(X)^L$ associates with each location an invariant; as usual we require the invariants to be conjunctions of constraints of the form $x \preceq c$ with $\preceq \in \{<, \le\}$;

– $F \subseteq L$ (resp. $R \subseteq L$) is the final (resp. repeated) set of locations.

The size of a TA $A$ is denoted $|A|$ and is the size of the clock constraints, i.e., the size of the transition relation $E$. A state of $A$ is a pair $(\ell, v) \in L \times \mathbb{R}_{\ge 0}^X$. A run $\varrho$ of $A$ from $(\ell_0, v_0)$ is a (finite or infinite) sequence of alternating delay and discrete moves:

$$\varrho = (\ell_0, v_0) \xrightarrow{\delta_0} (\ell_0, v_0 + \delta_0) \xrightarrow{a_0} (\ell_1, v_1) \cdots \xrightarrow{a_{n-1}} (\ell_n, v_n) \xrightarrow{\delta_n} (\ell_n, v_n + \delta_n) \cdots$$

s.t. for every $i \ge 0$:

– $v_i + \delta \models Inv(\ell_i)$ for $0 \le \delta \le \delta_i$;

– there is some transition $(\ell_i, g_i, a_i, r_i, \ell_{i+1}) \in E$ s.t.: (i) $v_i + \delta_i \models g_i$, (ii) $v_{i+1} = (v_i + \delta_i)[r_i]$.

The set of finite (resp. infinite) runs in $A$ from a state $s$ is denoted $Runs^*(s, A)$ (resp. $Runs^\omega(s, A)$). We let $Runs^*(A) = Runs^*(s_0, A)$, $Runs^\omega(A) = Runs^\omega(s_0, A)$ with $s_0 = (l_0, \mathbf{0})$, and $Runs(A) = Runs^*(A) \cup Runs^\omega(A)$. If $\varrho$ is finite and ends in $s_n$, we let $last(\varrho) = s_n$. Because of the denseness of the time domain, the unfolding of $A$ as a graph is infinite (uncountable number of states and delay edges). The trace, $tr(\varrho)$, of a run $\varrho$ is the timed word $\pi_\Sigma(\delta_0 a_0 \delta_1 a_1 \cdots a_{n-1} \delta_n \cdots)$. The duration of the run $\varrho$ is $Duration(\varrho) = Duration(tr(\varrho))$. For $V \subseteq Runs(A)$, we let $Tr(V) = \{tr(\varrho) \mid \varrho \in V\}$, which is the set of traces of the runs in $V$.

A finite (resp. infinite) timed word $w$ is accepted by $A$ if it is the trace of a run of $A$ that ends in an $F$-location (resp. a run that reaches infinitely often an $R$-location). $\mathcal{L}^*(A)$ (resp. $\mathcal{L}^\omega(A)$) is the set of finite (resp. infinite) timed words accepted by $A$, and $\mathcal{L}(A) = \mathcal{L}^*(A) \cup \mathcal{L}^\omega(A)$ is the set of timed words accepted by $A$.

In the sequel we often omit the sets $R$ and $F$ in TA and this implicitly means $F = L$ and $R = \emptyset$.

A timed automaton $A$ is deterministic if there is no $\tau$ labelled transition in $A$, and if, whenever $(\ell, g, a, r, \ell')$ and $(\ell, g', a, r', \ell'')$ are transitions of $A$, $g \wedge g' \equiv \text{false}$. $A$ is complete if from each state $(\ell, v)$, and for each action $a$, there is a transition $(\ell, g, a, r, \ell')$ such that $v \models g$. We note DTA the class of deterministic timed automata.

A finite automaton is a particular TA with $X = \emptyset$. Consequently guards and invariants are vacuously true and time elapsing transitions do not exist. We write $A = (Q, q_0, \Sigma_\tau, E, F, R)$ for a finite automaton. A run is thus a sequence of the form:

$$\varrho = \ell_0 \xrightarrow{a_0} \ell_1 \xrightarrow{a_1} \ell_2 \cdots$$

where for each $i \ge 0$, $(\ell_i, a_i, \ell_{i+1}) \in E$. Definitions of traces and languages are the same as for TA. For FA, the duration of a run $\varrho$ is the number of steps (including $\tau$-steps) of $\varrho$: if $\varrho$ is finite and ends in $\ell_n$, $Duration(\varrho) = n$ and otherwise $Duration(\varrho) = \infty$.

2.4 Region Graph of a Timed Automaton 

A region of $\mathbb{R}_{\ge 0}^X$ is a conjunction of atomic constraints of the form $x \bowtie c$ or $x - y \bowtie c$ with $c \in \mathbb{Z}$, $\bowtie \in \{<, \le, =, \ge, >\}$ and $x, y \in X$. The region graph $RG(A)$ of a TA $A$ is a finite quotient of the infinite graph of $A$ which is time-abstract bisimilar to $A$ [2]. It is a finite automaton on the alphabet $E' = E \cup \{t\}$. The states of $RG(A)$ are pairs $(\ell, r)$ where $\ell \in L$ is a location of $A$ and $r$ is a region of $\mathbb{R}_{\ge 0}^X$. More generally, the edges of the graph are tuples $(s, e, s')$ where $s, s'$ are states of $RG(A)$ and $e \in E'$. Genuine unobservable moves of $A$ labelled $\tau$ are labelled by tuples of the form $(s, (g, \tau, r), s')$ in $RG(A)$. An edge $(g, \lambda, R)$ in the region graph corresponds to a discrete transition of $A$ with guard $g$, action $\lambda$ and reset set $R$. A $t$ move in $RG(A)$ stands for a delay move to the time-successor region. The initial state of $RG(A)$ is $(l_0, \mathbf{0})$. A final (resp. repeated) state of $RG(A)$ is a state $(\ell, r)$ with $\ell \in F$ (resp. $\ell \in R$). A fundamental property of the region graph [5] is:

Theorem 1 (R. Alur and D. Dill, [2]). $\mathcal{L}(RG(A)) = Unt(\mathcal{L}(A))$.

In other words:

1. if $w$ is accepted by $RG(A)$, then there is a timed word $v$ with $Unt(v) = w$ s.t. $v$ is accepted by $A$.

2. if $v$ is accepted by $A$, then $Unt(v)$ is accepted by $RG(A)$.

The (maximum) size of the region graph is exponential in the number of clocks and in the maximum constant of the automaton $A$ (see [5]): $|RG(A)| = |L| \cdot |X|! \cdot 2^{|X|} \cdot \prod_{x \in X} (2K + 2)$ where $K$ is the largest constant used in $A$.

2.5 Product of Timed Automata 

Given $n$ locations $\ell_1, \cdots, \ell_n$, we write $\bar\ell$ for the tuple $(\ell_1, \cdots, \ell_n)$ and let $\bar\ell[i] = \ell_i$. Given a letter $a \in \Sigma^1 \cup \cdots \cup \Sigma^n$, we let $I(a) = \{k \mid a \in \Sigma^k\}$.

Definition 2 (Product of TA). Let $A_i = (L_i, l_0^i, X_i, \Sigma^i_\tau, E_i, Inv_i)$, $i \in \{1, \cdots, n\}$ be $n$ TA s.t. $X_i \cap X_j = \emptyset$ for $i \ne j$. The product of the $A_i$ is the TA $A = A_1 \times \cdots \times A_n = (L, l_0, X, \Sigma_\tau, E, Inv)$ given by:

– $L = L_1 \times \cdots \times L_n$;

– $l_0 = (l_0^1, \cdots, l_0^n)$;

– $\Sigma = \Sigma^1 \cup \cdots \cup \Sigma^n$;

– $X = X_1 \cup \cdots \cup X_n$;

– $E \subseteq L \times \mathcal{C}(X) \times \Sigma_\tau \times 2^X \times L$ and $(\bar\ell, g, a, r, \bar\ell') \in E$ if:

  • either $a \in \Sigma \setminus \{\tau\}$, and

    1. for each $k \in I(a)$, $(\bar\ell[k], g_k, a, r_k, \bar\ell'[k]) \in E_k$,
    2. $g = \bigwedge_{k \in I(a)} g_k$ and $r = \bigcup_{k \in I(a)} r_k$,
    3. for $k \notin I(a)$, $\bar\ell'[k] = \bar\ell[k]$;

  • or $a = \tau$ and $\exists j$ s.t. $(\bar\ell[j], g_j, \tau, r_j, \bar\ell'[j]) \in E_j$, $g = g_j$, $r = r_j$ and for $k \ne j$, $\bar\ell'[k] = \bar\ell[k]$;

– $Inv(\bar\ell) = \bigwedge_{k=1}^n Inv_k(\bar\ell[k])$.

This definition of product also applies to finite automata (no clock constraints).

If the automaton $A_i$ has the set of final locations $F_i$ then the set of final locations for $A$ is $F_1 \times \cdots \times F_n$. For Büchi acceptance, we add a counter $c$ to $A$, incremented (modulo $n$) each time the product automaton $A$ encounters an $R_c$-location of $A_c$, following the standard construction for the product of Büchi automata. The automaton constructed with the counter $c$ is $A^+$. The repeated set of states of $A^+$ is $L_1 \times \cdots \times L_{n-1} \times L_n \times \{n\}$. As the sets of clocks of the $A_i$'s are disjoint (for finite automata, this is vacuously true), the following holds:

Fact 1. $\mathcal{L}^*(A) = \bigcap_{i=1}^n \mathcal{L}^*(A_i)$ and $\mathcal{L}^\omega(A^+) = \bigcap_{i=1}^n \mathcal{L}^\omega(A_i)$.
2.6 Intersection Emptiness Problem

In this section we give some complexity results for the emptiness problem on products of FA and TA.

First consider the following problem on deterministic finite automata (DFA):

Problem 1 (Intersection Emptiness for DFA)

Inputs: $n$ deterministic finite automata $A_i$, $1 \le i \le n$, over the alphabet $\Sigma$.
Problem: Check whether $\bigcap_{i=1}^n \mathcal{L}^*(A_i) \ne \emptyset$.

The size of the input for Problem 1 is $\sum_{i=1}^n |A_i|$.

Theorem 2 (D. Kozen, [14]). Problem 1 is PSPACE-complete.

D. Kozen's Theorem also holds for Büchi languages:

Theorem 3. Checking whether $\bigcap_{i=1}^n \mathcal{L}^\omega(A_i) \ne \emptyset$ is PSPACE-complete.

We establish a variant of Theorem 2 which will be used later in the paper: we show that Problem 1 is PSPACE-hard even if $A_2, \cdots, A_n$ are automata where all the states are accepting and $A_1$ is the only automaton with a proper set of accepting states (actually one accepting state is enough).

Proposition 1. Let $A_i$, $1 \le i \le n$ be $n$ DFA over the alphabet $\Sigma$. If for all $A_i$, $2 \le i \le n$, all states of $A_i$ are accepting, Problem 1 is already PSPACE-hard.

Proof. Let $A_1, A_2, \cdots, A_n$ be $n$ deterministic automata with accepting states $F_1, F_2, \cdots, F_n$ on the alphabet $\Sigma$. Let $\lambda$ be a fresh letter not in $\Sigma$. Define automaton $A'_i$ by: from any state $q$ in $F_i$, add a transition $(q, \lambda, \bot)$ where $\bot$ is a new state. Let $F'_1 = \{\bot\}$ and let $F'_i$, $2 \le i \le n$, be all the states of $A'_i$. It is clear that $\mathcal{L}^*(A'_1) = \mathcal{L}^*(A_1).\lambda$.

We can prove that $\bigcap_{i=1}^n \mathcal{L}^*(A_i) \ne \emptyset \iff \bigcap_{i=1}^n \mathcal{L}^*(A'_i) \ne \emptyset$. Indeed, assume $w \in \bigcap_{i=1}^n \mathcal{L}^*(A_i) \ne \emptyset$. Then $A_1 \times A_2 \times \cdots \times A_n$ reaches the state $(q_1, q_2, \cdots, q_n)$ after reading $w$ and $\forall 1 \le i \le n$, $q_i \in F_i$. Thus in $A'_1 \times A'_2 \times \cdots \times A'_n$ the same state can be reached and then $\lambda$ can be fired in the product leading to $(\bot, \bot, \cdots, \bot)$. Conversely, if a word $w$ is accepted by the product $A'_1 \times \cdots \times A'_n$, $w$ must end with $\lambda$. Let $w = u.\lambda \in \bigcap_{i=1}^n \mathcal{L}^*(A'_i) \ne \emptyset$. After reading $u$ the state of the product must be $(q_1, q_2, \cdots, q_n)$ with $\forall 1 \le i \le n$, $q_i \in F_i$, and the transitions fired when reading $u$ are also in $A_1 \times A_2 \times \cdots \times A_n$ which implies $u \in \bigcap_{i=1}^n \mathcal{L}^*(A_i)$. □

The next results are counterparts of D. Kozen's results for TA.

Problem 2 (Intersection Emptiness for TA)

Inputs: $n$ TA $A_i = (L_i, l_0^i, X_i, \Sigma^i_\tau, E_i, Inv_i, F_i)$, $1 \le i \le n$ with $X_k \cap X_j = \emptyset$ for $k \ne j$.
Problem: Check whether $\bigcap_{i=1}^n \mathcal{L}^*(A_i) \ne \emptyset$.

Theorem 4. Problem 2 is PSPACE-complete.

Proof. PSPACE-hardness follows from the fact that checking $\bigcap_{i=1}^n \mathcal{L}^*(A_i) \ne \emptyset$ on finite automata is already PSPACE-hard [14] or alternatively because reachability for timed automata is PSPACE-hard [2].

PSPACE-easiness can be established as Theorem 31 (section 4.1) of [1]: the regions of the product of the TA $A_i$ can be encoded in polynomial space in the size of the clock constraints of the product automaton. An algorithm to check emptiness is obtained by: 1) guessing a sequence of pairs (location, region) in the product automaton and 2) checking whether it is accepted. This can be done in NPSPACE and by Savitch's Theorem in PSPACE. □

The previous theorem extends to Büchi languages:

Problem 3 (Büchi Intersection Emptiness for TA)

Inputs: $n$ TA $A_i = (L_i, l_0^i, X_i, \Sigma^i_\tau, E_i, Inv_i, R_i)$, $1 \le i \le n$ with $X_k \cap X_j = \emptyset$ for $k \ne j$.
Problem: Check whether $\bigcap_{i=1}^n \mathcal{L}^\omega(A_i) \ne \emptyset$.

Theorem 5. Problem 3 is PSPACE-complete.

Proof. PSPACE-hardness follows from the reduction of Problem 2 to Problem 3 or again because checking Büchi emptiness for timed automata is PSPACE-hard [2].

Consider the product automaton $A^+$ the construction of which is described at the end of Section 2.5. PSPACE-easiness is established by: 1) guessing a state of $RG(A^+)$ of the form $((\bar\ell, n), r)$ and 2) checking it is reachable from the initial state (PSPACE) and reachable from itself (PSPACE). As $n$ is represented in binary the result follows. □
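As an added illustration (not code from the paper), the Python below decides Problem 1 by searching the product $A_1 \times \cdots \times A_n$ on the fly, without ever materialising it, and applies the transformation of Proposition 1 (a fresh letter $\lambda$ from every accepting state to a sink $\bot$, with $A'_1$ accepting only in $\bot$ and every state of $A'_2, \cdots, A'_n$ accepting). The dictionary encoding, the sample automata and the letter name are this example's own choices; partial DFAs are permitted, a missing transition simply blocks the product. A breadth-first search stores every visited tuple and so uses exponential space; the PSPACE bound of Theorem 2 comes from the fact that a nondeterministic walk only needs the current tuple of $n$ state names.

```python
from collections import deque

# A DFA is a dict {"q0": initial state, "delta": {(state, letter): state}, "final": set of states}.
# Missing (state, letter) pairs are allowed: the DFA is then partial and simply blocks there.


def alphabet(dfas):
    """Letters appearing on some transition of the given automata."""
    return sorted({a for d in dfas for (_, a) in d["delta"]})


def states_of(dfa):
    return {dfa["q0"]} | {q for q, _ in dfa["delta"]} | set(dfa["delta"].values())


def product_nonempty(dfas):
    """Problem 1: is the intersection of the L*(A_i) non-empty?  Breadth-first search over tuples
    of states of A_1 x ... x A_n built on the fly.  Returns a shortest witness word (possibly the
    empty word "") or None when the intersection is empty."""
    letters = alphabet(dfas)
    start = tuple(d["q0"] for d in dfas)
    seen, todo = {start}, deque([(start, "")])
    while todo:
        qs, w = todo.popleft()
        if all(q in d["final"] for q, d in zip(qs, dfas)):
            return w
        for a in letters:
            nxt = tuple(d["delta"].get((q, a)) for q, d in zip(qs, dfas))
            if None in nxt:          # some A_i has no a-transition here: the product is blocked
                continue
            if nxt not in seen:
                seen.add(nxt)
                todo.append((nxt, w + a))
    return None


def pad_with_lambda(dfas, lam="λ"):
    """Proposition 1: from every accepting state of each A_i add a λ-transition to a fresh sink ⊥;
    A'_1 accepts only in ⊥, while every state of A'_i (i >= 2) becomes accepting."""
    padded = []
    for i, d in enumerate(dfas):
        delta = dict(d["delta"])
        for q in d["final"]:
            delta[(q, lam)] = "⊥"
        final = {"⊥"} if i == 0 else states_of(d) | {"⊥"}
        padded.append({"q0": d["q0"], "delta": delta, "final": final})
    return padded


# Constructed sample over the alphabet {a, b} (not taken from the paper):
A1 = {"q0": "p0", "final": {"p1"},                                   # odd number of a's
      "delta": {("p0", "a"): "p1", ("p1", "a"): "p0", ("p0", "b"): "p0", ("p1", "b"): "p1"}}
A2 = {"q0": "r0", "final": {"r1"},                                   # last letter is b
      "delta": {("r0", "a"): "r0", ("r0", "b"): "r1", ("r1", "a"): "r0", ("r1", "b"): "r1"}}
A3 = {"q0": "t0", "final": {"t0"}, "delta": {("t0", "b"): "t0"}}     # no a at all (partial DFA)

if __name__ == "__main__":
    print(product_nonempty([A1, A2]))                       # "ab": odd a's, ends with b
    print(product_nonempty([A1, A2, A3]))                   # None: no such word avoids a
    print(product_nonempty(pad_with_lambda([A1, A2])))      # the same witness followed by λ
    print(product_nonempty(pad_with_lambda([A1, A2, A3])))  # None, as Proposition 1 predicts
```

The last two calls check the equivalence proved in Proposition 1 on the sample: the padded product accepts exactly the words $u.\lambda$ with $u$ in the original intersection.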

3 Fault Codiagnosis Problems 

We first recall the basics of fault diagnosis. The purpose of fault diagnosis [18] is to detect a fault in a system as soon as possible. The assumption is that the model of the system is known, but only a subset $\Sigma_o$ of the set of events $\Sigma$ generated by the system are observable. Faults are also unobservable.

Whenever the system generates a timed word $w \in TW^*(\Sigma)$, an external observer can only see $\pi_{\Sigma_o}(w)$. If an observer can detect faults under this partial observation of the outputs of $A$, it is called a diagnoser. We require a diagnoser to detect a fault within a given delay $\Delta \in \mathbb{N}$.

To model timed systems with faults, we use timed automata on the alphabet $\Sigma_{\tau,f} = \Sigma_\tau \cup \{f\}$ where $f$ is the faulty (and unobservable) event. We only consider one type of fault, but the results we give are valid for many types of faults $\{f_1, f_2, \cdots, f_n\}$: indeed solving the many-types diagnosability problem amounts to solving $n$ one-type diagnosability problems [21]. The observable events are given by $\Sigma_o = \Sigma$ and $\tau$ is always unobservable.

The idea of decentralized or distributed diagnosis was introduced in [10]. It is based on decentralized architectures: local diagnosers and a communication protocol. In these architectures, local diagnosers (with their own partial view of the system) can send to a coordinator some information, using a given communication protocol. The coordinator then computes a result from the partial results of the local diagnosers. The goal is to obtain a coordinator that can detect the faults in the system. When local diagnosers do not communicate with each other nor with a coordinator (protocol 3 in [10]), the decentralized diagnosis problem is called codiagnosis [15,20]. In this section we formalize the notion of codiagnosability introduced in [15] in a style similar to [5]. This allows us to obtain a necessary and sufficient condition for codiagnosability of FA but also to extend the definition of codiagnosability to timed automata.

In the sequel we assume that the model of the system is a TA $A = (L, l_0, X, \Sigma_{\tau,f}, E, Inv)$ and is fixed.

3.1 Faulty Runs 

Let $\Delta \in \mathbb{N}$. A run $\varrho$ of $A$ of the form

$$\varrho = (\ell_0, v_0) \xrightarrow{\delta_0} (\ell_0, v_0 + \delta_0) \xrightarrow{a_0} (\ell_1, v_1) \cdots (\ell_n, v_n) \xrightarrow{\delta_n} (\ell_n, v_n + \delta_n) \cdots$$

is $\Delta$-faulty if: (1) there is an index $i$ s.t. $a_i = f$ and (2) the duration of $\varrho' = (\ell_i, v_i) \cdots (\ell_n, v_n + \delta_n) \cdots$ is larger than $\Delta$. We let $Faulty_{\ge\Delta}(A)$ be the set of $\Delta$-faulty runs of $A$. Note that by definition, if $\Delta' \ge \Delta$ then $Faulty_{\ge\Delta'}(A) \subseteq Faulty_{\ge\Delta}(A)$. We let $Faulty(A) = \bigcup_{\Delta \ge 0} Faulty_{\ge\Delta}(A) = Faulty_{\ge 0}(A)$ be the set of faulty runs of $A$, and $NonFaulty(A) = Runs(A) \setminus Faulty(A)$ be the set of non-faulty runs of $A$. Finally, we let

$$Faulty^{tr}_{\ge\Delta}(A) = Tr(Faulty_{\ge\Delta}(A))$$

and

$$NonFaulty^{tr}(A) = Tr(NonFaulty(A))$$

which are the traces of $\Delta$-faulty and non-faulty runs of $A$ (notice that $tr(\varrho)$ erases $\tau$ and $f$).

We also make the assumption that the TA $A$ cannot prevent time from elapsing. For FA, this assumption is that from any state, a discrete transition can be taken. If it is not the case, $\tau$ loop actions can be added with no impact on the (co)diagnosability status of the system. This is a standard assumption in diagnosability and is required to avoid taking into account these cases that are not interesting in practice.

For discrete event systems (FA), the notion of time is the number of transitions (discrete steps) in the system. A $\Delta$-faulty run is thus a run with a fault action $f$ followed by at least $\Delta$ discrete steps (some of them can be $\tau$ or even $f$ actions). When we consider codiagnosability problems for discrete event systems, this definition of $\Delta$-faulty runs applies. The other definitions are unchanged.
Remark 1. Using a timed automaton where discrete actions are separated by one time unit is not equivalent to using a finite automaton when solving a fault diagnosis problem. For instance, a timed automaton can generate the timed words $1.f.1.a$ and $1.\tau.1.\tau.1.a$. In this case, it is 1-diagnosable: after reading the timed word $2.a$ we announce a fault. If we do not see the 1-time unit durations, the timed words $f.a$ and $\tau^2.a$ give the same observation. And thus it is not diagnosable if we cannot measure time. Using a timed automaton where discrete actions are separated by one time unit gives to the diagnoser the ability to count/measure time and this is not equivalent to the fault diagnosis problem for FA (discrete event systems).

3.2 Codiagnosers and Codiagnosability Problems 

A codiagnoser is a tuple of diagnosers, each of which has its own set of observable events $\Sigma_i$, and whenever a fault occurs, at least one diagnoser is able to detect it. In the sequel we write $\pi_i$ in place of $\pi_{\Sigma_i}$ for readability reasons. A codiagnoser can be formally defined as follows:

Definition 3 ($(\Delta, \mathcal{E})$-Codiagnoser). Let $A$ be a timed automaton over the alphabet $\Sigma_{\tau,f}$, $\Delta \in \mathbb{N}$ and $\mathcal{E} = (\Sigma_i)_{1 \le i \le n}$ be a family of subsets of $\Sigma$. A $(\Delta, \mathcal{E})$-codiagnoser for $A$ is a mapping $D = (D_1, \cdots, D_n)$ with $D_i : TW^*(\Sigma_i) \to \{0, 1\}$ such that:

– for each $\varrho \in NonFaulty(A)$, $\sum_{i=1}^n D_i(\pi_i(tr(\varrho))) = 0$;

– for each $\varrho \in Faulty_{\ge\Delta}(A)$, $\sum_{i=1}^n D_i(\pi_i(tr(\varrho))) \ge 1$.

As for diagnosability, the intuition of this definition is that (i) the codiagnoser will raise an alarm ($D$ outputs a value different from $0$) when a $\Delta$-faulty run has been identified, and that (ii) it can identify those $\Delta$-faulty runs unambiguously. The codiagnoser is not required to do anything special for $\Delta'$-faulty runs with $\Delta' < \Delta$ (although it is usually required that once it has announced a fault, it does not change its mind and keeps outputting $1$).

$A$ is $(\Delta, \mathcal{E})$-codiagnosable if there exists a $(\Delta, \mathcal{E})$-codiagnoser for $A$. $A$ is $\mathcal{E}$-codiagnosable if there is some $\Delta \in \mathbb{N}$ s.t. $A$ is $(\Delta, \mathcal{E})$-codiagnosable.

The standard notions [18] of $\Delta$-diagnosability and $\Delta$-diagnoser are obtained when the family $\mathcal{E}$ is the singleton $\mathcal{E} = \{\Sigma\}$. The fundamental codiagnosability problems for timed automata are the following:

Problem 4 ($(\Delta, \mathcal{E})$-Codiagnosability)

Inputs: A TA $A = (L, l_0, X, \Sigma_{\tau,f}, E, Inv)$, $\Delta \in \mathbb{N}$ and $\mathcal{E} = (\Sigma_i)_{1 \le i \le n}$.
Problem: Is $A$ $(\Delta, \mathcal{E})$-codiagnosable?

Problem 5 (Codiagnosability)

Inputs: A TA $A = (L, l_0, X, \Sigma_{\tau,f}, E, Inv)$ and $\mathcal{E} = (\Sigma_i)_{1 \le i \le n}$.
Problem: Is $A$ $\mathcal{E}$-codiagnosable?

Problem 6 (Optimal delay)

Inputs: A TA $A = (L, l_0, X, \Sigma_{\tau,f}, E, Inv)$ and $\mathcal{E} = (\Sigma_i)_{1 \le i \le n}$.
Problem: If $A$ is $\mathcal{E}$-codiagnosable, what is the minimum $\Delta$ s.t. $A$ is $(\Delta, \mathcal{E})$-codiagnosable?

The size of the input for Problem 4 is $|A| + \log\Delta + n \cdot |\Sigma|$, and for Problems 5 and 6 it is $|A| + n \cdot |\Sigma|$.

In addition to the previous problems, we will consider the construction of a $(\Delta, \mathcal{E})$-codiagnoser when $A$ is $(\Delta, \mathcal{E})$-codiagnosable in Section 5.

3.3 Necessary and Sufficient Condition for Codiagnosability 

In this section we generalize the necessary and sufficient condition for diagnosability [19,8] to codiagnosability.

Lemma 1. $A$ is not $(\Delta, \mathcal{E})$-codiagnosable if and only if

$$\exists \varrho \in Faulty_{\ge\Delta}(A) \text{ and } \forall 1 \le i \le n,\ \exists \varrho_i \in NonFaulty(A) \text{ s.t. } \pi_i(tr(\varrho)) = \pi_i(tr(\varrho_i)). \quad (1)$$

Proof.

– Only if part. Assume equation (1) holds and $A$ is $(\Delta, \mathcal{E})$-codiagnosable. Then there is a codiagnoser $D = (D_1, \cdots, D_n)$ satisfying Definition 3. For each $\varrho_i$ we must have $D_i(\pi_i(tr(\varrho_i))) = 0$ because each $\varrho_i$ is non-faulty. But we must also have, for at least one index $i$, $D_i(\pi_i(tr(\varrho_i))) = D_i(\pi_i(tr(\varrho))) = 1$ because $\varrho$ is $\Delta$-faulty, which is impossible.

– If part. Assume $A$ is not $(\Delta, \mathcal{E})$-codiagnosable and that for every $\varrho \in Faulty_{\ge\Delta}(A)$, equation (1) does not hold. In this case, for each such $\varrho$ there is an index $1 \le i \le n$ s.t.:

$$\forall \varrho' \in NonFaulty(A),\ \pi_i(tr(\varrho)) \ne \pi_i(tr(\varrho')).$$

Define $D_i(w) = 1$ when $w \in \pi_i(Faulty^{tr}_{\ge\Delta}(A)) \setminus \pi_i(NonFaulty^{tr}(A))$ and $0$ otherwise. Then $D = (D_1, \cdots, D_n)$ is a $(\Delta, \mathcal{E})$-codiagnoser for $A$. Indeed, let $\varrho \in NonFaulty(A)$. Then $\pi_i(tr(\varrho)) \in \pi_i(NonFaulty^{tr}(A))$ and this implies that $D_i(\pi_i(tr(\varrho))) = 0$. Let $\varrho \in Faulty_{\ge\Delta}(A)$ and assume $D_i(\pi_i(tr(\varrho))) = 0$ for each $1 \le i \le n$. By definition of $D_i$ we must have $\pi_i(tr(\varrho)) \in \pi_i(NonFaulty^{tr}(A))$ for each $i$. In this case, there is some run $\varrho_i \in NonFaulty(A)$ s.t. $\pi_i(tr(\varrho)) = \pi_i(tr(\varrho_i))$ and thus equation (1) holds which contradicts the initial assumption. □

Using Lemma 1 we obtain a language based characterisation of codiagnosability extending the one given in [10,15]. Let $\pi_i^{-1}(X) = \{w \in TW^*(\Sigma) \mid \pi_i(w) \in X\}$.

Lemma 2. $A$ is $(\Delta, \mathcal{E})$-codiagnosable if and only if

$$Faulty^{tr}_{\ge\Delta}(A) \cap \left( \bigcap_{i=1}^n \pi_i^{-1}\big(\pi_i(NonFaulty^{tr}(A))\big) \right) = \emptyset. \quad (2)$$

Proof. Assume equation (2) does not hold and let $w \in Faulty^{tr}_{\ge\Delta}(A)$ be such that, for each $1 \le i \le n$, $w \in \pi_i^{-1}(\pi_i(NonFaulty^{tr}(A)))$. This implies that:

– $\exists \varrho \in Faulty_{\ge\Delta}(A)$ s.t. $tr(\varrho) = w$;

– for each $i$, $w \in \pi_i^{-1}(\pi_i(NonFaulty^{tr}(A)))$ and $\pi_i(w) \in \pi_i(NonFaulty^{tr}(A))$. Thus, there is a run $\varrho_i \in NonFaulty(A)$ s.t. $\pi_i(w) = \pi_i(tr(\varrho)) = \pi_i(tr(\varrho_i))$,

and as equation (1) of Lemma 1 is satisfied, $A$ is not $(\Delta, \mathcal{E})$-codiagnosable.

For the converse, assume $A$ is not $(\Delta, \mathcal{E})$-codiagnosable. By Lemma 1 equation (1) is satisfied and:

– there is a run $\varrho$ with $tr(\varrho) \in Faulty^{tr}_{\ge\Delta}(A)$;

– for each $i$, there is some $\varrho_i \in NonFaulty(A)$ s.t. $\pi_i(tr(\varrho)) = \pi_i(tr(\varrho_i))$. Hence $tr(\varrho) \in \pi_i^{-1}(\pi_i(NonFaulty^{tr}(A)))$ for each $i$,

and this implies that equation (2) does not hold. □

4 Algorithms for Codiagnosability Problems

4.1 $(\Delta, \mathcal{E})$-Codiagnosability (Problem 4)

Deciding Problem 4 amounts to checking whether equation (2) holds or not. Recall that $A = (L, l_0, X, \Sigma_{\tau,f}, E, Inv)$. Let $t$ be a fresh clock not in $X$. Let $A^f(\Delta) = ((L \times \{0, 1\}) \cup \{Bad\}, (l_0, 0), X \cup \{t\}, \Sigma_\tau, E_f, Inv_f)$ with:

– $((\ell, n), g, \lambda, r, (\ell', n)) \in E_f$ if $(\ell, g, \lambda, r, \ell') \in E$, $\lambda \in \Sigma \cup \{\tau\}$;

– $((\ell, 0), g, \tau, r \cup \{t\}, (\ell', 1)) \in E_f$ if $(\ell, g, f, r, \ell') \in E$ (the first fault switches to the copy and resets $t$), and $((\ell, 1), g, \tau, r, (\ell', 1)) \in E_f$ if $(\ell, g, f, r, \ell') \in E$ (a later fault is kept as a $\tau$ move of the copy, so that the steps counted after the first fault may contain $f$, as allowed in Section 3.1);

– for $\ell \in L$, $((\ell, 1), t > \Delta, \tau, \emptyset, Bad) \in E_f$;

– $Inv_f((\ell, n)) = Inv(\ell)$.

$A^f(\Delta)$ is similar to $A$ but when a fault occurs it switches to a copy of $A$ (encoded by $n = 1$). When sufficient time has elapsed in the copy (more than $\Delta$ time units), location $Bad$ can be reached.

The language accepted by $A^f(\Delta)$ with the set of final states $\{Bad\}$ is thus $\mathcal{L}^*(A^f(\Delta)) = Faulty^{tr}_{\ge\Delta}(A)$. Define $A_i = (L, l_0, X_i, \Sigma_\tau, E_i, Inv_i)$ with:

– $X_i = \{x^i \mid x \in X\}$ (create copies of clocks of $A$);

– $(\ell, g_i, \lambda, r_i, \ell') \in E_i$ if $(\ell, g, \lambda, r, \ell') \in E$, $\lambda \in \Sigma_i \cup \{\tau\}$, with: $g_i$ is $g$ where the clocks $x$ in $X$ are replaced by their counterparts $x^i$ in $X_i$; $r_i$ is $r$ with the same renaming;

– $(\ell, g_i, \tau, r_i, \ell') \in E_i$ if $(\ell, g, \lambda, r, \ell') \in E$, $\lambda \in \Sigma \setminus \Sigma_i$;

– $Inv_i(\ell) = Inv(\ell)$ with clock renaming ($x^i$ in place of $x$).

Each $A_i$ accepts only non-faulty traces as the $f$-transitions are not in $A_i$. If the set of final locations is $L$ for each $A_i$, $\mathcal{L}^*(A_i) = \pi_i(NonFaulty^{tr}(A))$. To accept $\pi_i^{-1}(\pi_i(NonFaulty^{tr}(A)))$ we add transitions $(\ell, \text{true}, \lambda, \emptyset, \ell)$ for each location $\ell$ of $A_i$ and for each $\lambda \in \Sigma \setminus \Sigma_i$. Let $A_i^*$ be the automaton on the alphabet $\Sigma$ constructed this way. By definition of $A_i^*$, $\mathcal{L}^*(A_i^*) = \pi_i^{-1}(\pi_i(NonFaulty^{tr}(A)))$.

Define $B = A^f(\Delta) \times A_1^* \times A_2^* \times \cdots \times A_n^*$ with the set of final locations $F_B = \{Bad\} \times L \times \cdots \times L$. We let $R_B = \emptyset$. Using equation (2) we obtain:
Lemma 3. $A$ is $(\Delta, \mathcal{E})$-codiagnosable iff $\mathcal{L}^*(B) = \emptyset$.

Proof. The sets of clocks of the $A_i^*$'s and $A^f(\Delta)$ are disjoint: for each $1 \le i < j \le n$, $X_i \cap X_j = \emptyset$ and $X_i \cap (X \cup \{t\}) = \emptyset$. It follows from Fact 1 that $\mathcal{L}^*(B) = \mathcal{L}^*(A^f(\Delta)) \cap \left(\bigcap_{i=1}^n \mathcal{L}^*(A_i^*)\right)$. By Lemma 2 and the construction of $A^f(\Delta)$ and the $A_i^*$'s, the result follows. □

The size of the input for Problem 4 is $|A| + \log\Delta + n \cdot |\Sigma|$. The size of $A^f(\Delta)$ is (linear in) the size of $A$ and $\log\Delta$, i.e., $O(|A| + \log\Delta)$. The size of $A_i^*$ is bounded by the size of $A$ plus $|L| \cdot |\Sigma|$ for the added self-loops. It follows that $|A^f(\Delta)| + \sum_{i=1}^n |A_i^*|$ is in $O((n+1)|A| + n \cdot |L| \cdot |\Sigma|)$ and is polynomial in the size of the input of Problem 4. We thus have a polynomial reduction from Problem 4 to the intersection emptiness problem for TA. We can now establish the following result:

Theorem 6. Problem^is PS PACE- complete for Timed Automata. It is already 
PSPACE-hard for Deterministic Finite Automata. 

Proof. PSPACE-easiness follows from the polynomial reduction described above 
and Lemma [31 PSPACE-hardness is obtained by reducing the variant of the 
intersection emptiness problem for DTA to the (A, f )-codiagnosability problem. 
This problem is PSPACE-hard (Proposition [T]). 

Let $A_i$, $1 \le i \le n$, be $n$ deterministic finite automata over the alphabet $\Sigma$. Assume $A_1$ has one accepting state and that for $A_2, \ldots, A_n$ all states are accepting.

We construct $B$ as shown on Figure 1: $a_2, \ldots, a_n$ are fresh letters not in $\Sigma$; the target state of the transition labelled $a_i$ is the initial state of $A_i$, and the initial state of $A_1$ is reached by a $\tau$-transition. The initial state of $B$ is $\iota$. Let $\Sigma_i = \Sigma \setminus \{a_i\}$ for each $2 \le i \le n$ (where $\Sigma$ now also contains the fresh letters). From the final state of $A_1$ there is a transition labelled $f$ to a new state $e$, which carries a $\tau$ self-loop.

We can prove that $B$ is $(1, \mathcal{E})$-codiagnosable if and only if $\bigcap_{i=1}^n \mathcal{L}^*(A_i) = \emptyset$, with $\mathcal{E} = (\Sigma_i)_{1 \le i \le n}$. Assume $w \in \bigcap_{i=1}^n \mathcal{L}^*(A_i) \neq \emptyset$. Take the run of trace $\tau.w.f.\tau$ in $B$. This run is 1-faulty. For each $2 \le i \le n$, there is a run of trace $a_i.w$ which is non-faulty. Moreover, $\pi_i(a_i.w) = w = \pi_i(\tau.w.f.\tau)$ and thus $B$ is not $(1, \mathcal{E})$-codiagnosable.

Now, assume $B$ is not $(1, \mathcal{E})$-codiagnosable. There is a 1-faulty run, and this must be a run of trace $\tau.w.f.\tau$ with $w \in \mathcal{L}^*(A_1)$, and for each $2 \le i \le n$, there is a non-faulty run $\rho_i$ the trace of which is $u_i$, with $\pi_i(u_i) = w$. It must be the case that $u_i = a_i.w_i$ as otherwise $\pi_i(u_i)$ would start with $a_k$, $k \neq i$, and thus it would be impossible to have $\pi_i(u_i) = w$. As $u_i = a_i.w_i$, $\pi_i(u_i) = w_i = w$, and $w_i \in \mathcal{L}^*(A_i)$, it follows that $w \in \bigcap_{i=1}^n \mathcal{L}^*(A_i)$ and thus $\bigcap_{i=1}^n \mathcal{L}^*(A_i)$ is not empty. Finally $\bigcap_{i=1}^n \mathcal{L}^*(A_i) \neq \emptyset$ if and only if $B$ is not $(1, \mathcal{E})$-codiagnosable.

The size of $B$ is in $O(\sum_{i=1}^n |A_i| + n)$, which is equal to $O(\sum_{i=1}^n |A_i|)$ as $|A_i| \ge 1$. The size of the input for Problem 4 is thus $O(\sum_{i=1}^n |A_i|) + n \cdot (|\Sigma| + n)$, which is quadratic and thus polynomial in $\sum_{i=1}^n |A_i|$.

The intersection emptiness problem for DFA is polynomially reducible to the $(\Delta, \mathcal{E})$-codiagnosability problem and Problem 4 is PSPACE-hard for DFA. □

Fig. 1. Reduction for Theorem 6: automaton $B$.



4.2 $\mathcal{E}$-Codiagnosability (Problem 5)

In this section we show how to solve the $\mathcal{E}$-codiagnosability problem. The algorithm is a generalisation of the procedure for deciding diagnosability of discrete event and timed systems (see [7] for a recent presentation).

First notice that $A$ is not $\mathcal{E}$-codiagnosable if and only if for all $\Delta \in \mathbb{N}$, $A$ is not $(\Delta, \mathcal{E})$-codiagnosable. For standard fault diagnosis (one diagnoser and $\mathcal{E} = \{\Sigma\}$), $A$ is not diagnosable if there is an infinite faulty run in $A$ the projection of which is the same as the projection of a non-faulty one [7].

The procedures for checking diagnosability of FA and TA differ slightly due to specific features of timed systems. We recall here the algorithms to check diagnosability of FA and TA [7,19] and extend them to codiagnosability.

Codiagnosability for Finite Automata. To check whether a FA $A$ is diagnosable, we build a synchronized product $A^f \times A_1$, s.t. $A^f$ behaves exactly like $A$ but records in its state whether a fault has occurred, and $A_1$ behaves like $A$ without the faulty runs (transitions labelled $f$ are cut off). This corresponds to $A^f(\Delta)$ defined in section 4.1 without the extra clock that measures $\Delta$.

A faulty run in the product $A^f \times A_1$ is a run for which $A^f$ reaches a faulty state of the form $(q, 1)$. To decide whether $A$ is diagnosable we build an extended version of $A^f \times A_1$ which is a Büchi automaton $B$. $B$ has a boolean variable $z$ which records whether $A^f$ participated in the last transition fired by $A^f \times A_1$. A state of $B$ is a pair $(s, z)$ where $s$ is a state of $A^f \times A_1$. $B$ is given by the tuple $((Q \times \{0, 1\} \times Q) \times \{0, 1\}, ((q_0, 0), q_0, 0), \Sigma_\tau, \to_B, \emptyset, R_B)$ with:

- $(s, z) \xrightarrow{\lambda}_B (s', z')$ if (i) there exists a transition $t : s \xrightarrow{\lambda} s'$ in $A^f \times A_1$, and (ii) $z' = 1$ if $t$ is a move of $A^f$ and $z' = 0$ otherwise;

- $R_B = \{(((q, 1), q'), 1) \mid ((q, 1), q') \in A^f \times A_1\}$.
The important part of the previous construction relies on the fact that, for $A$ to be non $\Sigma$-diagnosable, $A^f$ should have an infinite faulty run (and take infinitely many transitions) and $A_1$ a corresponding non-faulty run (note that this one can be finite) giving the same observation. With the previous construction, we have [7]: $A$ is diagnosable iff $\mathcal{L}^\omega(B) = \emptyset$.

The construction for codiagnosability is an extension of the previous one adding $A_2, \ldots, A_n$ to the product. Let $B^{co} = A^f \times A_1 \times \cdots \times A_n$ with $A_i$ defined in section 4.1. In $B^{co}$ we again use the variable $z$ to indicate whether $A^f$ participated in the last move. Define the set of repeated states of $B^{co}$ by: $R_{B^{co}} = \{(((q, 1), \bar{q}), 1) \mid ((q, 1), \bar{q}) \in A^f \times A_1 \times \cdots \times A_n\}$. By construction, a state in $R_{B^{co}}$ is: (1) faulty, as it contains a component $(q, 1)$ for the state of $A^f$, and (2) such that $A^f$ participated in the last move, as $z = 1$. It follows that:

Lemma 4. $A$ is $\mathcal{E}$-codiagnosable iff $\mathcal{L}^\omega(B^{co}) = \emptyset$.
Theorem 7. Problem 5 is PSPACE-complete for DFA.

Proof. PSPACE-easiness follows from the fact that checking whether $\mathcal{L}^\omega(B^{co}) = \emptyset$ can be done in PSPACE (Theorem 3). PSPACE-hardness follows from a reduction of Problem 1 to Problem 5 using the same encoding as the one given in the proof of Theorem 6: when $\bigcap_{i=1}^n \mathcal{L}^*(A_i) \neq \emptyset$, the automaton $B$ of Fig. 1 is not $(\Delta, \mathcal{E})$-codiagnosable for any $\Delta \in \mathbb{N}$. □

Codiagnosability for Timed Automata. Checking diagnosability for timed automata requires an extra step in the construction of the equivalent of automaton $B$ defined above: indeed, for TA, a run having infinitely many discrete steps could well be zeno, i.e., the duration of such a run can be finite. This extra step in the construction was first presented in [15]. It can be carried out by adding a special timed automaton $Div(x)$ and synchronizing it with $A^f \times A_1$. Let $x$ be a fresh clock not in $X$. Let $Div(x) = (\{0, 1\}, 0, \{x\}, Inv)$ be the TA given in Fig. 2. If we use $F = \emptyset$ and $R = \{1\}$ for $Div(x)$, any accepted run is time divergent and thus cannot be zeno.

Fig. 2. Timed Automaton $Div(x)$: two locations $0$ and $1$; the edges between them are guarded by $x = 1$, labelled $\tau$ and reset $x$ ($x := 0$).

Let $\mathcal{D} = A^f \times Div(x) \times A_1$, let $F_{\mathcal{D}} = \emptyset$ and let $R_{\mathcal{D}}$ be the set of states where $A^f$ is in a faulty location and $Div(x)$ is in location 1. For standard fault diagnosis, the following holds [19, 7]: $A$ is diagnosable iff $\mathcal{L}^\omega(\mathcal{D}) = \emptyset$.

The construction to check codiagnosability is obtained by adding $A_2, \ldots, A_n$ in the product. Let $\mathcal{D}^{co} = A^f \times Div(x) \times A_1 \times \cdots \times A_n$.

Lemma 5. $A$ is $\mathcal{E}$-codiagnosable iff $\mathcal{L}^\omega(\mathcal{D}^{co}) = \emptyset$.

Theorem 8. Problem 5 is PSPACE-complete for TA.

Proof. The size of $\mathcal{D}^{co}$ is in $O((n+1) \cdot |A|)$ and thus polynomial in the size of the input of Problem 5 ($|A| + n \cdot |\Sigma|$). PSPACE-easiness follows because the intersection emptiness problem for Büchi automata can be solved in PSPACE. PSPACE-hardness holds because it is already PSPACE-hard for FA. □

4.3 Optimal Delay (Problem 6)

Using the results for checking $\mathcal{E}$-codiagnosability and $(\Delta, \mathcal{E})$-codiagnosability, we obtain algorithms for computing the optimal delay.

Lemma 4 reduces codiagnosability of FA to Büchi emptiness on a product automaton. The number of states of the automaton is bounded by $4 \cdot |A|^{n+1}$ and the number of faulty states by $2 \cdot |A|^{n+1}$. This implies that:

Proposition 2. Let $A$ be a finite automaton. If $A$ is $\mathcal{E}$-codiagnosable, then $A$ is $(2 \cdot |A|^{n+1}, \mathcal{E})$-codiagnosable.

Proof. If $\mathcal{L}^\omega(B^{co}) = \emptyset$ there cannot be a faulty run of length more than $2 \cdot |A|^{n+1}$: otherwise at least one faulty state $s$ would be encountered twice on this run, and in this case we could construct an infinite faulty run, which contradicts the fact that $\mathcal{L}^\omega(B^{co}) = \emptyset$. □

From Proposition 2 we can conclude that:

Theorem 9. Problem 6 can be solved in PSPACE for FA.

Proof. Checking whether $A$ is $\mathcal{E}$-codiagnosable can be done in PSPACE. If the result is "yes", we can do a binary search for the optimal delay: start with $\Delta = 2 \cdot |A|^{n+1}$ and check whether $A$ is $(\Delta, \mathcal{E})$-codiagnosable. If "yes", divide $\Delta$ by 2 and so on. Since $(\Delta, \mathcal{E})$-codiagnosability is preserved when $\Delta$ increases, the search narrows down to the smallest admissible $\Delta$ with $O(n \cdot \log|A|)$ checks. The encoding of $2 \cdot |A|^{n+1}$ has size $O(n \cdot \log|A|)$ and thus is polynomial in the size of the inputs of Problem 6. □
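The constructions of Lemma 3 and Lemma 4 and the binary search of Theorem 9, as an added explicit-state illustration for finite automata (example code written for this page, not the paper's implementation; the plant, the alphabets and every function name are constructed for the example). It builds the product $A^f \times A_1 \times \cdots \times A_n$ with the fault bit and a flag recording whether $A^f$ moved (the role of $z$), decides $(\Delta, \mathcal{E})$-codiagnosability by reachability of a faulty product state with a saturated step counter (the counter plays the role of the clock of $A^f(\Delta)$), decides $\mathcal{E}$-codiagnosability by looking for a reachable faulty cycle in which $A^f$ moves (Büchi emptiness on $B^{co}$, here by longest-path relaxation), and then runs the binary search with the bound $2|A|^{n+1}$ of Proposition 2. The product is explored explicitly, so the space used is exponential in $n$ rather than polynomial as in the proof; the search is kept because it mirrors the proof, although with the explicit product the optimum is just one more than the value returned by `max_ambiguous_delay`.

```python
"""Explicit-state codiagnosability checks for finite automata (added illustration,
not the paper's code).  Delta counts the events of A, observable or not, after f."""
from collections import defaultdict
from itertools import product as cartesian
TAU, FAULT = "tau", "f"


class FA:
    """Finite automaton over Sigma ∪ {tau, f}: an initial state and (src, label, dst) edges."""
    def __init__(self, init, edges):
        self.init, self.succ = init, defaultdict(list)
        for s, a, t in edges:
            self.succ[s].append((a, t))
        self.states = {init} | {x for s, a, t in edges for x in (s, t)}


def product_automaton(A, obs):
    """Reachable part of A^f x A_1 x .. x A_n, obs = (Sigma_1, .., Sigma_n).  A^f carries a fault
    bit; A_i has no f-edge and synchronises with A^f only on Sigma_i (other events are local)."""
    init = (A.init, 0) + (A.init,) * len(obs)           # states are (q, bit, q_1, .., q_n)
    succ, todo = {}, [init]                              # succ[s] = [(af_moved, s'), ...]
    while todo:
        st = todo.pop()
        if st in succ:
            continue
        q, b, locs = st[0], st[1], st[2:]
        out = []
        for a, q2 in A.succ[q]:                          # A^f moves, joined by every A_i observing a
            choices = [[t for x, t in A.succ[li] if x == a] if a in obs[i] else [li]
                       for i, li in enumerate(locs)]
            for combo in cartesian(*choices):
                out.append((True, (q2, 1 if a == FAULT else b) + combo))
        for i, li in enumerate(locs):                    # local (unobserved) move of a single A_i
            for a, t in A.succ[li]:
                if a != FAULT and a not in obs[i]:
                    out.append((False, st[:2 + i] + (t,) + st[3 + i:]))
        succ[st] = out
        todo.extend(s for _, s in out)
    return init, succ


def delta_codiagnosable(A, obs, delta):
    """Lemma 3: (Delta,E)-codiagnosable iff no faulty product state is reachable after Delta or
    more A^f moves past the fault, i.e. every diagnoser still has a non-faulty explanation."""
    init, succ = product_automaton(A, obs)
    seen, todo = {(init, 0)}, [(init, 0)]
    while todo:
        st, k = todo.pop()
        if st[1] == 1 and k >= delta:
            return False
        for moved, nxt in succ[st]:
            k2 = min(delta, k + 1) if (moved and st[1] == 1) else k   # saturates like the clock
            if (nxt, k2) not in seen:
                seen.add((nxt, k2))
                todo.append((nxt, k2))
    return True


def max_ambiguous_delay(A, obs):
    """Largest post-fault length of a run fooling every diagnoser (longest path, weight 1 on A^f
    moves from faulty states), or None if unbounded: a faulty cycle with an A^f move, B^co accepts."""
    init, succ = product_automaton(A, obs)
    dist = {init: 0}
    for _ in range(len(succ)):                           # Bellman-Ford bound on the rounds
        changed = False
        for st, d in list(dist.items()):
            for moved, nxt in succ[st]:
                d2 = d + (1 if moved and st[1] == 1 else 0)
                if d2 > dist.get(nxt, -1):
                    dist[nxt] = d2
                    changed = True
        if not changed:
            return max(dist.values())
    return None                                          # still growing: positive cycle


def codiagnosable(A, obs):                               # E-codiagnosability, Lemma 4
    return max_ambiguous_delay(A, obs) is not None


def optimal_delay(A, obs):
    """Binary search of Theorem 9 on [0, 2|A|^(n+1)], the bound given by Proposition 2."""
    if not codiagnosable(A, obs):
        return None
    lo, hi = 0, 2 * len(A.states) ** (len(obs) + 1)
    while lo < hi:                                       # invariant: hi is an admissible delay
        mid = (lo + hi) // 2
        if delta_codiagnosable(A, obs, mid):
            hi = mid
        else:
            lo = mid + 1
    return hi


# Constructed plant (not from the paper): after f it emits a b c c c...; the non-faulty
# branches emit a b d d d... and a c c c... (d is observed by no site).
EXAMPLE = FA("s0", [
    ("s0", FAULT, "s1"), ("s1", "a", "s2"), ("s2", "b", "s3"), ("s3", "c", "s4"), ("s4", "c", "s4"),
    ("s0", TAU, "n1"), ("n1", "a", "n2"), ("n2", "b", "n3"), ("n3", "d", "n3"),
    ("s0", TAU, "m1"), ("m1", "a", "m2"), ("m2", "c", "m3"), ("m3", "c", "m3"),
])
TWO_SITES = ({"a", "b"}, {"a", "c"})                     # each site alone is fooled forever
THREE_SITES = ({"a", "b"}, {"a", "c"}, {"b", "c"})       # site 3 sees b then c: no non-faulty run does
```

On the constructed plant, `codiagnosable(EXAMPLE, TWO_SITES)` is false although a single observer of $\{a, b, c\}$ would diagnose it, which is the gap between centralized and decentralized diagnosis; with the third site `optimal_delay(EXAMPLE, THREE_SITES)` is 3, because the faulty run $f\,a\,b$ is still explained for every site by one of the two non-faulty branches and only the next event $c$ separates it.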

For timed automata, a similar reasoning can be done on the region graph of $\mathcal{D}^{co}$. If a TA $A$ is $\mathcal{E}$-codiagnosable, there cannot be any cycle with faulty locations in $RG(\mathcal{D}^{co})$. Otherwise there would be a non-zeno infinite word in $\mathcal{L}(\mathcal{D}^{co})$ and thus an infinite time-diverging faulty run in $A$, with corresponding non-faulty runs in each $A_i$, giving the same observation. Let $K$ be the size of $RG(\mathcal{D}^{co})$. If $A$ is $\mathcal{E}$-codiagnosable, then a faulty state in $RG(\mathcal{D}^{co})$ can be followed by at most $K$ states. Otherwise a cycle in the region graph would occur and thus $\mathcal{L}^\omega(\mathcal{D}^{co})$ would not be empty. This also implies that all the states $(s, r)$ in $RG(\mathcal{D}^{co})$ that can follow a faulty state must have a bounded region. As the amount of time that can elapse in one region is at most 1 time unit*, the maximum duration of a faulty run in $\mathcal{D}^{co}$ is bounded by $K$. This implies that:

* The constants in the automata are integers.

Proposition 3. Let $A$ be a timed automaton. If $A$ is $\mathcal{E}$-codiagnosable, then $A$ is $(K, \mathcal{E})$-codiagnosable with $K = |RG(\mathcal{D}^{co})|$.

The size of the region graph of $\mathcal{D}^{co}$ is bounded by $|\mathcal{D}^{co}| \cdot ((n+1)|X| + 1)! \cdot 2^{(n+1)|X|+1} \cdot (2M + 2)^{(n+1)|X|+1}$, where $|\mathcal{D}^{co}|$ is the number of locations of $\mathcal{D}^{co}$ and $M$ the maximal constant of $A$. Thus the encoding of the constant $K$ has size $O(n \cdot |A|)$.

Theorem 10. Problem 6 can be solved in PSPACE for Timed Automata.

Proof. Checking whether a TA $A$ is $\mathcal{E}$-codiagnosable can be done in PSPACE. If the result is "yes", we can do a binary search for the optimal delay: start with $\Delta = K = |RG(\mathcal{D}^{co})|$, and check whether $A$ is $(\Delta, \mathcal{E})$-codiagnosable. If "yes", divide $\Delta$ by 2 and so on. The encoding of $K$ has size $O(n \cdot |A|)$ and thus is polynomial in the size of the input of Problem 6. □

5 Synthesis of Codiagnosers 

5.1 Synthesis for Finite Automata 

The synthesis of a codiagnoser for a FA $A$ can be achieved by determinizing $n$ versions of $A$. This is exactly the same procedure that is applied for standard diagnosis: assume $\Sigma_o$ is the set of observable events in $A$, and $A$ is $(\Delta, \Sigma_o)$-diagnosable. To build a $\Delta$-diagnoser we proceed as follows [21,13]:

1. build $A^f$ as before and replace the events in $\Sigma \setminus \Sigma_o$ by $\tau$; recall that $f$ is also replaced by $\tau$ in $A^f$ and a boolean value indicates whether a fault has occurred;

2. determinize $A^f$ and obtain $B$;

3. define the set of final states $F_B$ of $B$ by: $S = \{s_1, s_2, \ldots, s_l\}$ is in $F_B$ iff for each $1 \le i \le l$, $s_i$ is a faulty state of $A^f$;

4. a $(\Delta, \Sigma_o)$-diagnoser $D$ for $A$ can be constructed as follows:

 (a) let $\varrho$ be a run of $A$ and $w = \pi_{\Sigma_o}(tr(\varrho))$,

 (b) if when reading $w$, $B$ reaches a state in $F_B$, define $D(w) = 1$,

 (c) otherwise $D(w) = 0$.

Applying this construction for each $\Sigma_o = \Sigma_i$, $1 \le i \le n$, we obtain a tuple $D = (D_1, D_2, \ldots, D_n)$ of diagnosers $D_i$ which is a $(\Delta, \mathcal{E})$-codiagnoser for $A$. Note that the size of $D$ is exponential in the size of $A$ (this is already the case for the diagnosis problem).
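Steps 1 to 4 above, as an added example for finite automata (code written for this page, not the paper's; the plant, the sites and all names are constructed for illustration). Each $D_i$ is the subset construction of $A^f$ in which $\tau$, $f$ and the events of $\Sigma \setminus \Sigma_i$ are silent, $F_B$ is the set of subsets made only of faulty states, and the tuple announces a fault as soon as one $D_i$ does on its own projection of the trace.

```python
"""Codiagnoser synthesis for finite automata by determinization (steps 1-4 above).
Added illustration, not the paper's code; the plant below is constructed."""
from collections import defaultdict

TAU, FAULT = "tau", "f"


def subset_diagnoser(init, edges, observable):
    """Steps 1-3 for one site: the subset construction of A^f in which tau, f and every
    event outside Sigma_o = observable are silent.  Returns (B_init, trans, F_B), where
    subset states are frozensets of (q, fault_bit) and F_B holds the all-faulty subsets."""
    succ = defaultdict(list)
    for s, a, t in edges:
        succ[s].append((a, t))

    def closure(members):                            # saturate a subset with silent moves
        seen, todo = set(members), list(members)
        while todo:
            q, b = todo.pop()
            for a, t in succ[q]:
                if a not in observable:              # tau, f and Sigma \ Sigma_o
                    m = (t, 1 if (a == FAULT or b) else 0)
                    if m not in seen:
                        seen.add(m)
                        todo.append(m)
        return frozenset(seen)

    b_init = closure({(init, 0)})
    trans, seen, todo = {}, {b_init}, [b_init]
    while todo:
        S = todo.pop()
        for a in observable:
            nxt = closure({(t, b) for q, b in S for x, t in succ[q] if x == a})
            if nxt:                                  # empty: a cannot be observed from S
                trans[(S, a)] = nxt
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    accepting = {S for S in seen if all(b == 1 for _, b in S)}
    return b_init, trans, accepting


def diagnose(diagnoser, observation):
    """Step 4: D(w) = 1 iff B reaches a state of F_B after reading the projected word w."""
    state, trans, accepting = diagnoser
    for a in observation:
        state = trans[(state, a)]                    # KeyError: w is not an observation of A
    return 1 if state in accepting else 0


def build_codiagnoser(init, edges, family):
    """One subset diagnoser per site, paired with that site's observable alphabet."""
    return [(obs, subset_diagnoser(init, edges, obs)) for obs in family]


def codiagnoser_verdict(codiagnoser, trace):
    """The tuple D announces the fault iff some D_i does on its own projection of the trace."""
    return max(diagnose(d, [a for a in trace if a in obs]) for obs, d in codiagnoser)


# Constructed plant: after f it emits a b c c c...; the non-faulty branches emit
# a b d d d... and a c c c... (d is observed by no site).
PLANT = ("s0", [
    ("s0", FAULT, "s1"), ("s1", "a", "s2"), ("s2", "b", "s3"), ("s3", "c", "s4"), ("s4", "c", "s4"),
    ("s0", TAU, "n1"), ("n1", "a", "n2"), ("n2", "b", "n3"), ("n3", "d", "n3"),
    ("s0", TAU, "m1"), ("m1", "a", "m2"), ("m2", "c", "m3"), ("m3", "c", "m3"),
])
SITES = ({"a", "b"}, {"a", "c"}, {"b", "c"})
CODIAGNOSER = build_codiagnoser(*PLANT, SITES)
```

On this plant the third site is the one that detects the fault, three events after $f$ (its projection $b\,c$ is produced by no non-faulty run), while the first two sites are fooled by the two non-faulty branches; with only the first two sites the fault is never announced.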

5.2 Synthesis for Timed Automata 

The synthesis of a diagnoser for timed automata [19] is already more complicated than for FA. Timed automata are not (always) determinizable [21] and thus we cannot use the same procedure as for FA and determinize $A^f$. Moreover, checking whether a TA is determinizable is not decidable [11], and it is thus impossible to check whether we can use the same procedure.

The construction of a diagnoser for timed automata [12] consists in computing on-the-fly the current possible states of the timed automaton $A^f$ after reading a timed word $w$. This procedure is effective but gives a diagnoser which is a Turing machine. The machine computes a state estimate of $A$ after each observable event, and if it contains only faulty states, it announces a fault.

Obviously the same construction can be carried out for codiagnosis: we build $n$ Turing machines $M_i$, $1 \le i \le n$, that estimate the state of $A$. When the estimate of $M_i$ on an input $\Sigma_i$-trace $w$ contains only faulty states, we set $D_i(w) = 1$, and $0$ otherwise. This tuple of Turing machines is a $(\Delta, \mathcal{E})$-codiagnoser.

Computing the estimates with Turing machines might be too expensive to be implemented at runtime. More efficient and compact codiagnosers might be needed, with reasonable computation times. In the next section, we address the problem of codiagnosis for TA under bounded resources.

6 Codiagnosis with Deterministic Timed Automata 

The fault diagnosis problem using timed automata has been introduced and solved by P. Bouyer et al. in [5]. The problem is to determine, given a TA $A$, whether there exists a diagnoser $D$ for $A$ that can be represented by a deterministic timed automaton.

We recall the result of [5] and afterwards we study the corresponding problem for codiagnosis.

6.1 Fault Diagnosis with Deterministic Timed Automata

When synthesizing (deterministic) timed automata, an important issue is the amount of resources the timed automaton can use: this can be formally defined [6] by the (number of) clocks $Z$ that the automaton can use, the maximal constant $max$, and a granularity $\frac{1}{m}$. As an example, a TA of resource $\mu = (\{c, d\}, 2, \frac{1}{3})$ can use two clocks, $c$ and $d$, and clock constraints using the rationals $-2 \le k/m \le 2$ where $k \in \mathbb{Z}$ and $m = 3$. A resource $\mu$ is thus a triple $\mu = (Z, max, \frac{1}{m})$ where $Z$ is a finite set of clocks, $max \in \mathbb{N}$ and $\frac{1}{m} \in \mathbb{Q}_{>0}$ is the granularity. $DTA_\mu$ is the class of DTA of resource $\mu$.

Remark 2. Notice that the number of locations of the DTA in $DTA_\mu$ is not bounded and hence this family has an infinite (yet countable) number of elements.

If a TA $A$ is $\Delta$-diagnosable with a diagnoser that can be represented by a DTA $D$ with resource $\mu$, we say that $A$ is $(\Delta, D)$-diagnosable. P. Bouyer et al. in [5] considered the problem of deciding whether there exists a diagnoser which is a DTA with resource $\mu$:

Problem 7 ($\Delta$-DTA-Diagnosability [5])

Inputs: A TA $A = (L, l_0, X, \Sigma_{\tau,f}, E, Inv)$, $\Delta \in \mathbb{N}$, a resource $\mu = (Z, max, \frac{1}{m})$.
Problem: Is there any $D \in DTA_\mu$ s.t. $A$ is $(\Delta, D)$-diagnosable?

Theorem 11 (P. Bouyer et al., [5]). Problem 7 is 2EXPTIME-complete.
The solution to the previous problem is based on the construction of a two-player game, the solution of which gives the set of all $DTA_\mu$ diagnosers (the most permissive diagnosers) which can diagnose $A$ (or tells that there is none).

Let $A = (L, l_0, X, \Sigma_{\tau,f}, E, Inv)$ be a TA, $\Sigma_o \subseteq \Sigma$. Define $\Delta(A) = (L_1 \cup L_2 \cup L_3, l_0^1, X \cup \{z\}, \Sigma_{\tau,f}, \to_\Delta, Inv_\Delta)$ as follows:

- $L_i = \{\ell^i \mid \ell \in L\}$, for $i \in \{1, 2, 3\}$, i.e., the elements of $L_i$ are copies of the locations in $L$,

- $z$ is a (new) clock not in $X$,

- for $\ell \in L$, $Inv_\Delta(\ell^1) = Inv(\ell)$, $Inv_\Delta(\ell^2) = Inv(\ell) \wedge z \le \Delta$, and $Inv_\Delta(\ell^3) = true$,

- the transition relation is given by:

 - for $i \in \{1, 2, 3\}$, $\ell^i \xrightarrow{g, a, R} \ell'^i$ if $a \neq f$ and $\ell \xrightarrow{g, a, R} \ell'$,

 - for $i \in \{2, 3\}$, $\ell^i \xrightarrow{g, f, R} \ell'^i$ if $\ell \xrightarrow{g, f, R} \ell'$,

 - $\ell^1 \xrightarrow{g, f, R \cup \{z\}} \ell'^2$ if $\ell \xrightarrow{g, f, R} \ell'$,

 - $\ell^2 \xrightarrow{z = \Delta, \tau, \emptyset} \ell^3$ for each $\ell \in L$ (the switch to copy 3 described below).

The previous construction creates 3 copies of $A$: the system starts in copy 1, when a fault occurs it switches to copy 2, resetting the clock $z$, and when in copy 2 (a fault has occurred) it can switch to copy 3 after $\Delta$ time units (copy 3 could be replaced by a special location $Bad$). We can then define $L_1$ as the non-faulty locations, and $L_3$ as the $\Delta$-faulty locations.

Given a resource $\mu = (Y, max, \frac{1}{m})$ ($X \cap Y = \emptyset$), a minimal guard for $\mu$ is a guard which defines a region of granularity $\mu$. The (symbolic) universal automaton $U_\mu = (\{0\}, \{0\}, \Sigma, E_\mu, Inv_\mu)$ is specified by:

- $Inv_\mu(0) = TRUE$,

- $(0, g, a, R, 0) \in E_\mu$ for each $(g, a, R)$ s.t. $a \in \Sigma$, $R \subseteq Y$, and $g$ is a minimal guard for $\mu$.

$U_\mu$ is finite because $E_\mu$ is finite. Nevertheless $U_\mu$ is not deterministic because it can choose to reset different sets of clocks $R \subseteq Y$ for a pair "(guard, letter)" $(g, a)$. To diagnose $A$, we have to find when a set of clocks has to be reset. This can provide enough information to distinguish $\Delta$-faulty words from non-faulty words. The algorithm of [5] requires the following steps:

1. define the region graph $RG(\Delta(A) \times U_\mu)$,

2. compute a projection of this region graph:

 - let $(g, a, R)$ be a label of an edge in $RG(\Delta(A) \times U_\mu)$,

 - let $g'$ be the unique minimal guard s.t. $[g] \subseteq [g']$;

 - let $p_\mu$ be the projection defined by $p_\mu(g, a, R) = (g', a, R \cap Y)$ if $a \in \Sigma_o$ and $p_\mu(g, a, R) = \tau$ otherwise.

 The projected automaton $p_\mu(RG(\Delta(A) \times U_\mu))$ is the automaton $RG(\Delta(A) \times U_\mu)$ where each label $\alpha$ is replaced by $p_\mu(\alpha)$.

3. determinize $p_\mu(RG(\Delta(A) \times U_\mu))$ (removing $\tau$ actions) and obtain $H_{A,\Delta,\mu}$,

4. build a two-player safety game $G_{A,\Delta,\mu}$ as follows:

 - each transition $s \xrightarrow{(g, a, R)} s'$ in $H_{A,\Delta,\mu}$ yields a transition in $G_{A,\Delta,\mu}$ that goes through an intermediate square state $(s, g, a)$: first the choice of $(g, a)$, then the choice of the reset set $R$;

 - the round-shaped states are the states of Player 1, whereas the square-shaped states are Player 0 states (the choice of the clocks to reset);

 - the bad states (for Player 0) are the states $\{(\ell_1, r_1), \ldots, (\ell_k, r_k)\}$ with both a $\Delta$-faulty (in $L_3$) and a non-faulty (in $L_1$) location. We let $Bad$ denote the set of bad states.

The main results of [5] are:

- there is a TA $D \in DTA_\mu$ s.t. $A$ is $(\Delta, D)$-diagnosable iff Player 0 can win the safety game "avoid $Bad$" $G_{A,\Delta,\mu}$;

- it follows that Problem 7 can be solved in 2EXPTIME as $G_{A,\Delta,\mu}$ has size doubly exponential in $A$, $\Delta$ and $\mu$;

- a witness diagnoser $D$ of size doubly exponential in $A$, $\Delta$ and $\mu$ can be obtained: it is a deterministic timed automaton with a set of accepting locations $F$. When the projection $w$ of a timed word of $A$ onto $\Sigma_o$ is accepted by $D$, $D$ outputs 1, otherwise it outputs 0;

- the acceptance problem for Alternating Turing machines of exponential space can be reduced to Problem 7 and thus it is 2EXPTIME-hard.

Another result of [5] is that for Event Recording Automata (ERA), Problem 7 is PSPACE-complete.

6.2 Algorithm for Codiagnosability 

In this section we include the alphabet $\Sigma$ a DTA can monitor in the resource $\mu$ and write $\mu = (\Sigma, Z, max, \frac{1}{m})$.

Problem 8 ($\Delta$-DTA-Codiagnosability)

Inputs: A TA $A = (L, l_0, X, \Sigma_{\tau,f}, E, Inv)$, $\Delta \in \mathbb{N}$, and a family of resources $\mu_i = (\Sigma_i, Z_i, max_i, \frac{1}{m_i})$, $1 \le i \le n$, with $\Sigma_i \subseteq \Sigma$.

Problem: Is there any codiagnoser $D = (D_1, D_2, \ldots, D_n)$ with $D_i \in DTA_{\mu_i}$ s.t. $A$ is $(\Delta, D)$-codiagnosable?

To solve Problem 8, we extend the previous algorithm for DTA-diagnosability. Let $G^i$ be the game $G_{A,\Delta,\mu_i}$ and $Bad_i$ its set of bad states. Given a strategy $f_i$, we let $f_i(G^i)$ be the outcome* of $G^i$ when $f_i$ is played by Player 0. Given $w \in TW^*(\Sigma)$ and a DTA $A$ on $\Sigma$, we let $last(w, A)$ be the location reached when $w$ is read by $A$.

Lemma 6. $A$ is $(\Delta, D)$-codiagnosable iff there is a tuple of strategies $f$ s.t.

* $f_i(G^i)$ is a timed transition system.

Item (2) of Lemma 6 states that there is no word of $A$ for which all the Players 0 of the games are in bad states. The strategies for each Player 0 are not necessarily winning in each $G^i$, but there is always one Player 0 who has not lost the game $G^i$.

Proof.

If part. Assume there is a tuple of state-based strategies $f = (f_1, f_2, \ldots, f_n)$ on each game $G^i$ s.t. (2) is satisfied. From (1), each choice of Player 0 in $G^i$ determines one transition from each square state (see the definition of $G^i$ and square states in section 6.1). Thus the graph of $G^i$ can be folded into a set of transitions $q \xrightarrow{(g, a, Y)} q'$ if the choice of Player 0 is $(g, a, Y)$ in square state $(q, g, a)$. This gives a DTA $G^{i,f}$. We can then build a diagnoser $D_i$ defined by the DTA as follows: (i) for each state $q = \{(\ell_1, r_1), \ldots, (\ell_k, r_k)\}$ in $G^{i,f}$, if all the $\ell_j$ are $\Delta$-faulty, $q$ is accepting; (ii) given $w \in Tr(A)$, if $\pi_{\Sigma_i}(w) \in \mathcal{L}(G^{i,f})$, let $D_i(\pi_{\Sigma_i}(w)) = 1$ and otherwise $0$. $D$ is a $\Delta$-codiagnoser for $A$. Indeed, let $w \in NonFaulty_{tr}(A)$. In each $G^{i,f}$, we cannot reach an accepting state: the state reached contains the non-faulty location reached by $w$ itself. Hence $D_i(\pi_{\Sigma_i}(w)) = 0$ for each $1 \le i \le n$. Now assume $w \in Faulty^{\ge\Delta}_{tr}(A)$: in each $G^{i,f}$ we must reach a state $q_i$ containing a $\Delta$-faulty location. By (2), there is some $j$ s.t. $q_j \notin Bad_j$, and this implies that $q_j$ is made only of $\Delta$-faulty locations and $q_j$ is accepting, thus $D_j(\pi_{\Sigma_j}(w)) = 1$.

Only If part. For this part we first show that a tuple of strategies $f$ exists and then address the state-based problem. Let $D = (D_1, D_2, \ldots, D_n)$ be the tuple of DTA that diagnoses $A$. For each game $G^i$, define the strategy $f_i$ by: let $\varrho = (q_1, \lambda_1)(q_1, \lambda_1, Y_1)(q_2, \lambda_2)(q_2, \lambda_2, Y_2) \cdots (q_k, \lambda_k)$ be a run in $G^i$; $f_i(\varrho) = (g, a, Y)$ if in $D_i$ the symbolic sequence $(g_1, \lambda_1) \cdots (g_k, \lambda_k)$ reaches a location $\ell$ and there is a transition $(\ell, (g, a, Y), \ell')$ in $D_i$. By assumption, as $D$ is a $\Delta$-codiagnoser, for each $w \in Faulty^{\ge\Delta}_{tr}(A)$, there is at least one $D_j$ which reaches an accepting state after reading $\pi_{\Sigma_j}(w)$.

As a consequence, in the corresponding game $G^j$, the state reached is made only of $\Delta$-faulty states. Indeed, if a non-faulty state is reachable, then the word $w$ is also the projection of a non-faulty run. Hence $D_j$ should announce $0$, which is a contradiction.

If $w \in NonFaulty_{tr}(A)$, all the states reached in each $G^i$ are non-faulty.

Now assume we have the strategies $f_i$, $1 \le i \le n$. We can construct state-based strategies on each game $G^i$. Given $f_1$ (not necessarily winning) on $G^1$, let $T_1$ be the set of bad states reachable in $f_1(G^1)$. Define the language $\mathcal{L}_1$ to be the set of words $w \in Tr(A)$ s.t. a state in $T_1$ is reachable in $f_1(G^1)$ when reading $\pi_{\Sigma_1}(w)$. These are the words on which $f_1$ is not winning in $G^1$.

Let $Reach(f_1(G^1))$ be the set of states reachable in $f_1(G^1)$. There is a strategy ($f_1$) to avoid $B_1 = Reach(G^1) \setminus Reach(f_1(G^1))$. Hence there is a state-based strategy $f_1'$ that avoids $B_1$.

Let $1 \le i < n$. Consider the game $f_{i+1}(G^{i+1})$ restricted to the (projections of the) words $w \in \mathcal{L}_i$. The idea is that outside $\mathcal{L}_i$, some strategy $f_j$, $j \le i$, is already winning in $G^j$. In this restricted game, we define the set $T_{i+1}$ of bad states that are still reachable. Let $\mathcal{L}_{i+1}$ be the set of words $w \in Tr(A)$ s.t. a state in $T_{i+1}$ is reachable in the restricted timed transition system $f_{i+1}(G^{i+1})$.

Notice that we can construct a state-based strategy $f_i'$ which avoids the same states as $f_i$ does. For each restricted game $f_i'(G^i)$ we define the diagnoser $D_i$ as before. If for some $i$, $\mathcal{L}_i = \emptyset$, we can define the diagnosers $D_k$, $k > i$, to always announce $0$ for each word.

The tuple of diagnosers defined from $f' = (f_1', \ldots, f_n')$ is a $(\Delta, \mathcal{E})$-codiagnoser for $A$, and all the $f_i'$ are state-based on $G^i$. □

From the previous Lemma, we can obtain the following result:

Theorem 12. Problem 8 is 2EXPTIME-complete.

Proof. 2EXPTIME-hardness follows from Theorem 11 from [5]. 2EXPTIME-easiness is obtained using the following algorithm:

1. compute the games $G^i$, $1 \le i \le n$;

2. select a state-based strategy on each game $G^i$;

3. check condition (2) of Lemma 6.

The sizes of the games are doubly exponential in $A$, $\Delta$ and the resources $\mu_i$ (recall that $\Sigma_i$ is included in $\mu_i$). There is a doubly exponential number of state-based strategies for each game $G^i$. Once selected we have a DTA $G^{i,f}$.

Checking condition (2) of Lemma 6 can be done on the product $\Delta(A) \times G^{1,f} \times \cdots \times G^{n,f}$. It amounts to deciding whether a product location whose $G^{i,f}$ components are all bad, i.e. in $Bad_1 \times \cdots \times Bad_n$, is reachable. Reachability can be checked in PSPACE for products of TA (Theorem 2). As the size of the input is doubly exponential in the size of $A$, this results in a 2EXPSPACE algorithm.

Nevertheless, there is no exponential blow-up in the number of clocks of the product. Actually the size of $RG(\Delta(A) \times G^{1,f} \times \cdots \times G^{n,f})$ is the product of $|L|$, of the (doubly exponential) numbers of locations of the $G^{i,f}$, and of the number of regions, which is exponential in the total number of clocks and in the encoding of the maximal constant $M$ of $A$, $\Delta$ and the resources $\mu_i$. It is thus doubly exponential in the size of $A$, $\Delta$ and the resources $\mu_i$. Reachability can be checked in linear time on this graph and thus in doubly exponential time in the size of $A$, $\Delta$ and the resources. Step 3 above is done at most a doubly exponential number of times and the result follows. □



7 Conclusion & Future Work

Table 1 gives an overview of the results described in this paper (bold face) for the codiagnosis problems in comparison with the results for the diagnosis problems (second line, normal face).

Our ongoing work is to extend the results on diagnosis using dynamic observers [9,8] to the codiagnosis framework.